MEMORANDUM

TO             :       Frank S. Holleman, III
                       Deputy Secretary
                       Office of the Deputy Secretary

                       Judith A. Winston
                       Acting Under Secretary
                       Office of the Under Secretary

FROM           :       Mary Mitchelson
                       Assistant Inspector General
                       Analysis and Inspection Services

SUBJECT        :       Results of the OIG Review of OUS’s Internal Controls Over the
                       Procurement of Goods and Services (A&I 2000-011)


INTRODUCTION

This is our report of our review of the Office of the Under Secretary’s (OUS) internal
controls over the procurement of goods and services. This review is part of our
Department-wide review of this area. The Department’s management is responsible for
establishing and maintaining internal controls. We will transmit the Department-wide
results to you with copies to the Assistant Secretaries and other senior staff when we
complete our review. On August 11, 2000, Office of Inspector General (OIG) staff met
with Diane Rogers, Chief of Staff to the Deputy Secretary, and Steve Moore, Senior
Management Advisor, to discuss the results of this review.

RESULTS

During our review in OUS, we identified two instances of possible noncompliance with
the Federal Acquisition Regulation (FAR) and current Department policies and
procedures. The FAR requires the solicitation of quotes or offers from a reasonable
number of sources or sole-source justification for any purchase of more than $2,500. We
identified:

•   Undocumented sole-source procurement – A purchase over $2,500 did not have
    documentation to verify that the purchase was made with the solicitation of at least
    three bids or a justification statement for a sole-source purchase. The procurement
    was made with a Third Party Draft for $8,396 to purchase computer equipment.

•   Possible split procurement – A single purchase order was prepared for ink and
    transparencies at an estimated cost of $5,800. The purchase was completed with the
    use of three separate invoices for less than $2,500 each issued on the same day from
    the same vendor and charged to the same purchase card.

We also identified three invoices that appeared to not have been paid timely as required
by the Prompt Payment Act. Two invoices were marked either “past due” or “second
request.” We identified another invoice that was dated February 1999, but was paid in
July 1999.

We identified certain deficiencies, in addition to the possible instances of non-compliance
identified above, that prevent OUS from satisfying the General Accounting Office’s
(GAO) Standards for Internal Control in the Federal Government. For your information
and corrective action, those deficiencies are listed in the attached chart (Attachment A).
In the future, we anticipate conducting a follow-up review to assess the actions you have
taken to satisfy GAO’s Standards for Internal Control in the Federal Government.

In addition, we want to advise you and OUS managers of inherent vulnerabilities we
identified in two Department procurement systems.

✓ Purchase Cards – For efficiency, the Department designed a purchase card system
  where cardholders can order, receive and approve payments for goods and services.
  Consequently, as a control, the Department established approving officials to review
  the use of purchase cards. Therefore, it is important that approving officials properly
  review all cardholder statements, including invoices, before forwarding them to the
  Office of the Chief Financial Officer for payment.

✓ Third Party Drafts (TPDs) – An individual with signature authority can issue TPDs
  without the involvement of anyone else. Therefore, it is important that, at a
  minimum, the supervisor of the individual with signature authority conduct periodic
  reviews of drafts issued.

OBJECTIVE

Our review objective was to assess the internal controls to ensure compliance with laws
and regulations for the procurement of goods and services other than studies or
evaluations.

SCOPE

We limited our work to procurements in Washington, D.C. (Headquarters) using TPDs
and purchase cards. We did not conduct testing on OUS’s use of the “Corporate”
Government Travel Accounts.

METHODOLOGY

To achieve our objectives, we conducted interviews with OUS staff who were involved
with the procurement process, and we reviewed relevant documents. As part of our
work, we reviewed samples of TPDs and purchase card transactions. For our review of
TPDs, we selected a random sample of 50 TPDs issued between October 1998 through
September 1999 (FY 1999) and October 1999 through February 2000 (FY 2000). We
reviewed the monthly purchase card statements dated between December 1998 and June
2000 for OUS’s three cardholders. Then, we judgmentally selected 50 transactions to
review. We also reviewed OUS monthly purchase card statements that were in the
Financial Management Policies and Administrative Programs Group files for the months
of September 1999 and March 2000.

We based our conclusions about OUS’s internal controls on the information gathered
during our interviews and transaction testing. We conducted our interviews and
transaction testing between May 15, 2000 and July 11, 2000. We assessed OUS’s
internal controls based on GAO’s Standards for Internal Control in the Federal
Government issued November 1999. Attachment B to this memorandum contains a
summary of the GAO Standards. We conducted our work in accordance with the
President's Council on Integrity and Efficiency Quality Standards for Inspections dated
March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any
questions regarding the results of this review, please call me at 260-3556.


Attachments


Attachment B

GAO’s Standards for Internal Control in the Federal Government
Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.

    Factors:

    ✓ Management and staff maintain and demonstrate integrity and ethical values.

    ✓ Management maintains an active commitment to competence.

    ✓ Management’s philosophy and operating style exert a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    ✓ Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    ✓ Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and
      control.

    ✓ Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

    ✓ Precondition – establishment of clear and consistent agency objectives.

    ✓ Risk assessment – the comprehensive identification and analysis of relevant risks
      associated with achieving agency objectives, like those defined in strategic and
      GPRA annual performance plans, and forming a basis for determining how the
      agency should manage risks.

    ✓ Risk identification – methods may include qualitative and quantitative ranking
      activities, management conferences, forecasting and strategic planning, and
      consideration of findings from audits and other assessments.

    ✓ Risk analysis – generally includes estimating the risk’s significance, assessing the
      likelihood of its occurrence, and deciding how the agency should manage its risk.

•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    ✓ The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives. They help ensure that employees take
      actions to address risks.

    ✓ Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and Communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    ✓ An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events. Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    ✓ Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    ✓ Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    ✓ Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    ✓ Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.


Attachment A

Internal Control Evaluation Form for the Office of the Under Secretary

Control Component     Deficiencies

Control Environment   •   Assignment of Authority – OCFO records indicate that one OUS cardholder
                          has a single purchase limit of $25,000. Those records also indicate that
                          the cardholder does not have the necessary training or warrant to have
                          such a limit. This cardholder stated that her single purchase limit was
                          $2,500.

Risk Assessment       •   Identification of Risks – OUS has no formal procedures for risk assessment
                          in the procurement area.

Control Activities    •   Policies and Procedures – Although required by the Department’s Directive
                          on Commercial Credit Card Service (C:FIM:6-102) dated March 12, 1990, OUS
                          has no written policies and procedures on the purchase card process.
                      •   Purchase cards – OUS has three purchase cardholders. We reviewed the
                          September 1999 and the March 2000 statements from OCFO files. Our purpose
                          was to verify that OUS had submitted all its monthly card statements with
                          activity to OCFO and that the approving official had signed the card
                          statements to support OCFO’s Department-wide payments. We also
                          judgmentally selected and reviewed 50 purchase card transactions.
                          ♦ Approval of monthly purchase card statements:
                             • For September 1999, there were two purchase cards that had
                               transaction activity. Only one statement was located in the OCFO
                               files.
                             • For March 2000, all three purchase cards had transaction activity
                               and were accounted for in the OCFO files. None of the statements
                               were signed by the approving official. (In our review of monthly
                               statements in OUS’s files, we found a much higher percentage of
                               statements signed by the approving official compared to the OUS
                               statements we reviewed in OCFO’s files.)
                          ♦ Documentation – Supporting documents such as invoices and receipts
                            were missing for five transactions.
                          ♦ Compliance/Bids – As mentioned in the cover memorandum, we identified
                            one acquisition that appears to be a split purchase to avoid the
                            micro-purchase threshold of $2,500. A single purchase order was
                            prepared for ink and transparencies at an estimated cost of $5,800.
                            The purchase was completed with three sequentially numbered invoices
                            for less than $2,500 each issued on the same day from the same vendor
                            and charged to the same purchase card. All three charges had the same
                            EDCAPS transaction number.
                      •   Third Party Drafts (TPDs) – We reviewed 50 randomly selected TPDs.
                          ♦ Documentation – The file for one of the requested TPDs was not
                            available for review. Supporting documents such as invoices and
                            receipts were missing for six other TPDs.
                          ♦ Compliance/Bids – As mentioned in the cover memorandum, a procurement
                            of $8,396 to purchase computer equipment lacked documentation to
                            verify that this purchase was made with the solicitation of at least
                            three bids or a justification statement for a sole-source purchase.
                          ♦ Approval – Fourteen invoices had no documentation of preapproval by
                            the Executive Officer. Four of those had documentation of preapproval
                            by another individual.
                          ♦ Date Stamping – Four invoices were not date stamped on receipt. The
                            date of receipt is necessary to determine the payment due date under
                            the Prompt Payment Act.
                          ♦ Prompt Payment – We identified three invoices that appear to not have
                            been paid timely as required by the Prompt Payment Act.

Information &         •   Communication of Key Information – The procurement staff that we
Communications            interviewed were not familiar with the Department’s Directive on
                          Commercial Credit Card Service.

Monitoring            •   On-going Monitoring – The supervisor of the individual with signature
                          authority for TPDs does not perform periodic reviews of the drafts issued
                          by OUS.